The Harsh Truth of the Cybersecurity Talent Gap

Everyone is talking about the shortage in security talent. Literally, everyone. It’s not for naught though, when you look at the sheer volume of open positions out there. We must have a talent shortage, right?

I believe that somewhere beneath the hype and panic the answer is yes. But there is a harsh truth that very few people are willing to talk about. First and foremost, the talent shortage is largely self-created by the IT industry’s desire to find cheap labor by offshoring work. Second, the people in the current labor pool often are mismanaged, are not in the most appropriate roles and/or are not being supported properly. Let me explain.

First, let’s talk about how we got here. Early in the 2000s the big rage in IT was to take “low-level work” and offshore it to India, China, Mexico and parts of the Eastern European bloc. Organizations of any measurable size pushed network and system administrator, help desk and other jobs outside our borders. That meant the “low level” of the talent pool was offshore and not available to be grown, groomed and promoted into more strategic roles.

Companies wanted to “rent” lowest-cost, expendable resources as they only looked at the short-term cost savings. Oddly enough, they realized few cost savings, but that’s a discussion for another time. The result was that internal expertise never grew organically. The person managing password resets in the help desk had the potential to grow their career into something bigger over time, but that opportunity was gone due largely to the offshoring model.

Then, over a decade of explosive technology growth, the people in mid-level positions, and even those who managed to hold onto their low-level IT jobs, became more experienced, grew their careers and moved up the chain of command. The startling realization is that now there was no one to fill those open positions at the mid-level because all the low-level talent wasn’t there to grow. Corporate knowledge was locked up in archaic knowledge management systems or ticketing systems at a third party or, worse, it didn’t exist.

So now that the security organizations need those people who have a decade of experience, there are very few to be found. Unfortunately, the push to realize short-term financial goals has created this long-term talent gap issue. Organizations are hoping for a quick fix, but I’m sorry to say that one is not available. It will likely take 8-10 years to grow the right talent and address the current shortage, but it’s going to be painful until then.

Now, about that mismanagement of talent. Have a look around your organization. How much work is being done manually that should be automated by now? What about the drive for operational excellence and process development? These concepts seem foreign in much of the corporate security landscape. Smart people are doing tremendous amounts of work in super-human fashion through long hours and painful manual labor. Something isn’t right.

As someone who has studied threat intelligence (or cyber intelligence, cyber threat intelligence, or whatever you choose to call it) in enterprises large and small, I can tell you with absolute certainty there is much room for improvement. Balancing inputs and outputs in process is critical. Taking low-maturity input and piping it into a high-maturity process and expecting magic isn’t going to work.

As a concrete example of this, let’s take the threat intelligence program cycle: Acquisition → Triage → Refinement → Distribution → Execution (summarizing from our research and program development blueprint). The acquisition step is where data comes into the organization; it starts the process and is its fuel. Organizations my team studied are still taking in large amounts of data feeds without much proper triage and pushing them right into refinement. At this refinement step a great deal of effort by some extremely intelligent people should yield something actionable. It rarely does.

In real life, too many organizations that we studied have hired people who can reverse-engineer and tear apart binaries without the organizational ability to then efficiently act on that output. While this is a high-value activity, it’s important for the organization to have reasonable processes for handling the output or refining those findings into actionable intelligence. Otherwise, it’s just a fun activity that yields no useful output, resulting in wasted time and money.

So, it turns out that if you manage to find smart people and convince them to join your team for a sum of money that doesn’t break the budget, the harder part comes next. Keeping these people meaningfully employed, which means giving them guidance, a fulfilling role and operational influence, is difficult if you have not defined the processes and program for which you plan to hire them.

I can see why people say we have a talent shortage, and they may very well be right. But when I look at how many companies are staffing their “high-level talent” and where they want to get these people from, it’s becoming apparent that the problem we clearly have is one of our own making. Now we just need to grab a shovel and start digging out of this mess.

Rafal Los is Managing Director, Solutions R&D within the Office of the CISO for Optiv, which was created in 2015 from the merger of Accuvant and FishNet Security. Los leads a team developing research-backed guidance addressing key program challenges for enterprise security leaders. Prior to joining Optiv, Los served as principal, strategic security services at HP Enterprise Security Services. Previously at HP, Los served several diverse roles including security strategist of enterprise security products where he advised customers on implementing practical solutions. Los also held various positions at GE entities and various other start-ups. Follow Rafal on Twitter: @Wh1t3rabbit.